Track Spark endpoint config blocker

.sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md

@@ -198,3 +198,9 @@ Forbidden next actions:
 - This removes the ambient `~/.pi/agent` dependency from the harness path.
 - This does not prove Case can produce the required `AGENT_RESULT` envelope.
 - `CTO-WORK-028` remains blocked until a configured local provider or another admitted provider returns a valid result envelope and produces a Stage 2 artificial fixture diff.
+
+## Spark Endpoint Config Dependency - 2026-06-01
+
+- `CTO-WORK-030` must be resolved before another configured Qwen local run can retest the Case `AGENT_RESULT` protocol path.
+- Until `CTO_HARNESS_CASE_LOCAL_BASE_URL` is supplied, the harness blocks before Case starts.
+- The agent protocol blocker remains unproven for the isolated Spark endpoint path until Case reaches execution again and returns or fails the required result envelope.

.sot/03-PROTOCOLS/CTO-CASE-LOCAL-PROVIDER-ROUTE-ISSUES.md

@@ -53,10 +53,10 @@ Acceptance:
 Blocked by:
 
 - `CTO-WORK-020` decision record selecting `local_provider_required`.
-- A Case-compatible local provider adapter implementation or supplied local provider endpoint.
+- `CTO-WORK-030` supplying explicit Spark local provider endpoint config.
 
 Current unblock:
 
 - Decision record now selects `local_provider_required`.
 - Harness route blocks before `case_process_started` unless `CTO_HARNESS_CASE_LOCAL_BASE_URL` is supplied.
-- Remaining blocker is supplied local provider endpoint/config plus real Stage 2 pass evidence.
+- Remaining blocker is `CTO-WORK-030` plus real Stage 2 pass evidence.

.sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION-ISSUES.md

@@ -204,3 +204,10 @@ Acceptance:
 - The block reason was missing explicit local provider config, not missing model admission.
 - The required unblock variable is `CTO_HARNESS_CASE_LOCAL_BASE_URL`.
 - `CTO-WORK-020` remains blocked because no real Case Stage 2 pass report exists.
+
+## Spark Endpoint Config Blocker - 2026-06-01
+
+- Qwen local admission remains valid for `qwen-local` / `qwen3.6-35b-a3b`.
+- `CTO-WORK-030` now tracks the missing Spark endpoint config required by `CTO_HARNESS_CASE_LOCAL_BASE_URL`.
+- Missing endpoint config blocks before `case_process_started` and writes `backend/provider-local-config-unavailable.txt`.
+- Endpoint presence alone is not Stage 2 pass evidence and does not unblock `CTO-WORK-020`.

.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-BUILD-ISSUES.md

@@ -160,3 +160,10 @@ Validation Evidence:
 
 - Hermes commit: `4500082 Gate Case execution on admitted model`.
 - Post-merge `harness/evals/health.sh --json` passed.
+
+## Spark Endpoint Config Blocker - 2026-06-01
+
+- `CTO-WORK-030` tracks the missing Spark endpoint config for the selected `qwen-local` / `qwen3.6-35b-a3b` path.
+- The Hermes harness requires `CTO_HARNESS_CASE_LOCAL_BASE_URL` before local Case provider execution can start.
+- Missing endpoint config blocks before `case_process_started` and writes `backend/provider-local-config-unavailable.txt`.
+- `CTO-WORK-016` remains blocked until real Case Stage 2 pass evidence exists through the Harness Evidence Interface.

.sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md

@@ -78,3 +78,10 @@ Any future state must include exact non-secret fields required by `CTO-WORK-020`
 - The fallback remains blocked by the known OpenAI Codex auth bridge gap unless a non-vendor bridge is proven.
 - The local Qwen path remains blocked before Case process start unless `CTO_HARNESS_CASE_LOCAL_BASE_URL` is explicitly supplied.
 - This update changes provider policy only. It does not mark real Case Stage 2 as passed.
+
+## Spark Endpoint Config Reference - 2026-06-01
+
+- `CTO-WORK-030` tracks the runtime Spark endpoint config required for the selected Qwen local path.
+- The required runtime variable is `CTO_HARNESS_CASE_LOCAL_BASE_URL`.
+- The endpoint value must not be copied into SOT, commits, task files, argv examples, backend logs, reports, or traces.
+- A configured endpoint alone does not validate `CTO-WORK-016`, `CTO-WORK-020`, `CTO-WORK-022`, or `CTO-WORK-028`.

.sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-ISSUES.md

@@ -0,0 +1,47 @@
+---
+title: CTO Case Spark Endpoint Config Issues
+status: draft
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+route: cto
+---
+
+# CTO Case Spark Endpoint Config Issues
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## CTO-WORK-030 - Spark Local Provider Endpoint Config
+
+Status: blocked.
+
+Supply explicit Spark OpenAI-compatible endpoint config for the selected `qwen-local` / `qwen3.6-35b-a3b` Case path, without storing endpoint secrets in SOT or commits.
+
+Acceptance:
+
+- `CTO_HARNESS_CASE_LOCAL_BASE_URL` is supplied at runtime for the real Qwen Case Stage 2 retry.
+- Missing endpoint config blocks before `case_process_started`.
+- Missing endpoint config writes `backend/provider-local-config-unavailable.txt`.
+- Endpoint values are not written to SOT, task file, argv, backend logs, report, trace, generated config, or commit.
+- Harness report proves `case_model_provider`: `qwen-local`.
+- Harness report proves `case_model`: `qwen3.6-35b-a3b`.
+- Harness report proves `case_model_admission_status`: `admitted`.
+- Harness report proves no fallback to `anthropic` or `claude-sonnet-4-6`.
+- Real Case Stage 2 pass evidence exists only through the Harness Evidence Interface.
+- A configured endpoint alone does not validate `CTO-WORK-016`, `CTO-WORK-020`, `CTO-WORK-022`, or `CTO-WORK-028`.
+- No Target Repository path may be inspected or copied.
+- Same-run fake baseline comparison remains required for any pass claim.
+- `CTO-WORK-016` remains blocked until real Case Stage 2 pass evidence exists.
+- `CTO-WORK-022` remains blocked until explicit endpoint config and real Case Stage 2 pass evidence exist.
+
+Blocked by:
+
+- Spark endpoint availability.
+- Runtime-safe way to provide `CTO_HARNESS_CASE_LOCAL_BASE_URL` without recording secret values.
+
+Current evidence:
+
+- Non-secret readiness check on 2026-06-01 showed `CTO_HARNESS_CASE_LOCAL_BASE_URL=missing`.
+- Existing Hermes harness blocks missing local provider config before `case_process_started`.

.sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-PRD.md

@@ -0,0 +1,76 @@
+---
+title: CTO Case Spark Endpoint Config PRD
+status: draft
+lifecycle_classification: sot
+owner: jp
+created: 2026-06-01
+last_reviewed: 2026-06-01
+core_promotion_status: not-promoted
+route: cto
+---
+
+# CTO Case Spark Endpoint Config PRD
+
+Local planning SOT only. Not a Core Protocol. Not active Core authority.
+
+## Problem Statement
+
+`qwen-local` / `qwen3.6-35b-a3b` is now the selected primary Case provider policy, but real Case Stage 2 cannot start until the Hermes CTO harness receives explicit Spark OpenAI-compatible endpoint config.
+
+Current non-secret readiness check showed `CTO_HARNESS_CASE_LOCAL_BASE_URL` is missing. The harness correctly blocks before `case_process_started` instead of falling back to ambient Pi config or an external model.
+
+## Solution
+
+Create a narrow child-local endpoint config route for Spark local provider readiness. The route records exactly what must be supplied and proven before a real Qwen Case Stage 2 retry can count.
+
+## Scope
+
+- Require explicit `CTO_HARNESS_CASE_LOCAL_BASE_URL` for `qwen-local`.
+- Treat the endpoint value as runtime config, not SOT content.
+- Do not store endpoint secrets or credential values in SOT, argv, task file, backend logs, report, trace, generated config, or commit.
+- Require the Hermes CTO harness to keep blocking before `case_process_started` when the local endpoint config is missing.
+- Require missing endpoint config to write `backend/provider-local-config-unavailable.txt`.
+- Require future proof through the Harness Evidence Interface.
+- Keep copied artificial fixture scope only.
+- Require no Target Repository path to be inspected or copied.
+- Keep same-run fake baseline comparison required.
+- Keep `CTO-WORK-020`, `CTO-WORK-016`, `CTO-WORK-022`, and Stage 2 blocked until real pass evidence exists.
+
+## Non-Goals
+
+- Do not discover or print credentials.
+- Do not read secret-bearing Hermes config.
+- Do not mutate Case source, Cortex Core, vendor source, external developer repositories, or Target Repositories.
+- Do not approve a new provider/model.
+- Do not treat endpoint presence as Stage 2 pass evidence.
+- Do not promote Case to copied repo, sandbox repo, owned repo, or default candidate.
+
+## Acceptance Criteria
+
+- The route names `CTO_HARNESS_CASE_LOCAL_BASE_URL` as the required local endpoint config.
+- The route states missing endpoint config blocks before `case_process_started`.
+- The route states missing endpoint config writes `backend/provider-local-config-unavailable.txt`.
+- The route states endpoint values must not be written to SOT or commits.
+- The route states endpoint presence is not Stage 2 pass evidence.
+- The route states a configured endpoint alone does not validate `CTO-WORK-016`, `CTO-WORK-020`, `CTO-WORK-022`, or `CTO-WORK-028`.
+- The route states no Target Repository path may be inspected or copied.
+- The route requires real Case Stage 2 proof through the Harness Evidence Interface before unblocking `CTO-WORK-016`.
+- The route keeps `CTO-WORK-022` blocked until explicit endpoint config and real Stage 2 pass evidence exist.
+- The route keeps fake as the default validation lane.
+
+## Validation
+
+- `python3 tools/validate_cto_child.py` validates this child-local route.
+- Future Hermes focused validation remains `python3 harness/runner/validate-case-provider-adapter.py --harness-root harness --json`.
+- Future real Qwen validation must run copied artificial fixture Stage 2 with `CTO_HARNESS_CASE_LOCAL_BASE_URL` present and no endpoint value written to SOT.
+
+## Risks And Dependencies
+
+- Spark may be unavailable or not serving an OpenAI-compatible endpoint.
+- The endpoint may require credentials or network state outside this workspace.
+- Local model quality may still fail the `AGENT_RESULT` protocol or code-change task after endpoint config is supplied.
+- A supplied endpoint does not remove the need for admitted provider/model proof.
+
+## Success Definition
+
+The Spark endpoint requirement is explicit, secret-safe, and governed. A future operator can supply `CTO_HARNESS_CASE_LOCAL_BASE_URL` and run one real Case Stage 2 proof without guessing which config is missing or allowing fallback behavior.

README.md

@@ -55,6 +55,8 @@ This workspace is registered as a child-local planning workspace. Registration d
 |       |-- CTO-CASE-PROVIDER-DECISION-RECORD.md
 |       |-- CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json
 |       |-- CTO-CASE-MODEL-PROVIDER-ADMISSION.qwen-local-qwen3.6-35b-a3b.json
+|       |-- CTO-CASE-SPARK-ENDPOINT-CONFIG-PRD.md
+|       |-- CTO-CASE-SPARK-ENDPOINT-CONFIG-ISSUES.md
 |       `-- CTO-CASE-AGENT-PROTOCOL-BLOCKER.md
 `-- tools/
     `-- validate_cto_child.py

WORKBOARD.yaml

@@ -145,3 +145,8 @@ items:
     status: validated
     source: .sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.qwen-local-qwen3.6-35b-a3b.json
     owner: ""
+  - id: CTO-WORK-030
+    title: Spark Local Provider Endpoint Config
+    status: blocked
+    source: .sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-ISSUES.md
+    owner: jp

tools/validate_cto_child.py

@@ -41,6 +41,8 @@ REQUIRED_FILES = [
     ".sot/03-PROTOCOLS/CTO-CASE-PROVIDER-DECISION-RECORD.md",
     ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.openai-codex-gpt-5.5.json",
     ".sot/03-PROTOCOLS/CTO-CASE-MODEL-PROVIDER-ADMISSION.qwen-local-qwen3.6-35b-a3b.json",
+    ".sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-PRD.md",
+    ".sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-ISSUES.md",
     ".sot/03-PROTOCOLS/CTO-CASE-AGENT-PROTOCOL-BLOCKER.md",
 ]
 
@@ -663,6 +665,42 @@ REQUIRED_PROVIDER_DECISION_RECORD_PHRASES = [
     "Existing evidence paths and commits are referenced only; runtime evidence is not copied into this record.",
 ]
 
+REQUIRED_SPARK_ENDPOINT_CONFIG_PRD_PHRASES = [
+    "Local planning SOT only. Not a Core Protocol. Not active Core authority.",
+    "`qwen-local` / `qwen3.6-35b-a3b` is now the selected primary Case provider policy",
+    "CTO_HARNESS_CASE_LOCAL_BASE_URL",
+    "missing. The harness correctly blocks before `case_process_started`",
+    "Treat the endpoint value as runtime config, not SOT content.",
+    "Do not store endpoint secrets or credential values in SOT, argv, task file, backend logs, report, trace, generated config, or commit.",
+    "Require missing endpoint config to write `backend/provider-local-config-unavailable.txt`.",
+    "Keep `CTO-WORK-020`, `CTO-WORK-016`, `CTO-WORK-022`, and Stage 2 blocked until real pass evidence exists.",
+    "endpoint presence is not Stage 2 pass evidence",
+    "configured endpoint alone does not validate `CTO-WORK-016`, `CTO-WORK-020`, `CTO-WORK-022`, or `CTO-WORK-028`",
+    "no Target Repository path may be inspected or copied",
+    "Harness Evidence Interface",
+    "same-run fake baseline comparison required",
+]
+
+REQUIRED_SPARK_ENDPOINT_CONFIG_ISSUE_PHRASES = [
+    "CTO-WORK-030 - Spark Local Provider Endpoint Config",
+    "Status: blocked.",
+    "CTO_HARNESS_CASE_LOCAL_BASE_URL",
+    "Missing endpoint config blocks before `case_process_started`.",
+    "Missing endpoint config writes `backend/provider-local-config-unavailable.txt`.",
+    "Endpoint values are not written to SOT, task file, argv, backend logs, report, trace, generated config, or commit.",
+    "Harness report proves `case_model_provider`: `qwen-local`.",
+    "Harness report proves `case_model`: `qwen3.6-35b-a3b`.",
+    "Harness report proves `case_model_admission_status`: `admitted`.",
+    "Harness report proves no fallback to `anthropic` or `claude-sonnet-4-6`.",
+    "Real Case Stage 2 pass evidence exists only through the Harness Evidence Interface.",
+    "A configured endpoint alone does not validate `CTO-WORK-016`, `CTO-WORK-020`, `CTO-WORK-022`, or `CTO-WORK-028`.",
+    "No Target Repository path may be inspected or copied.",
+    "Same-run fake baseline comparison remains required for any pass claim.",
+    "`CTO-WORK-016` remains blocked until real Case Stage 2 pass evidence exists.",
+    "`CTO-WORK-022` remains blocked until explicit endpoint config and real Case Stage 2 pass evidence exist.",
+    "Non-secret readiness check on 2026-06-01 showed `CTO_HARNESS_CASE_LOCAL_BASE_URL=missing`.",
+]
+
 
 def workboard_status(text: str, issue_id: str) -> str | None:
     pattern = rf"- id: {re.escape(issue_id)}\n(?:    .+\n)*?    status: ([^\n]+)"
@@ -716,6 +754,22 @@ def main() -> int:
             if issue_id not in text:
                 errors.append(f"missing_issue_id:{issue_id}")
 
+    spark_endpoint_prd = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-PRD.md"
+    if spark_endpoint_prd.is_file():
+        text = spark_endpoint_prd.read_text(encoding="utf-8")
+        for phrase in REQUIRED_SPARK_ENDPOINT_CONFIG_PRD_PHRASES:
+            checked.append(f"spark_endpoint_config_prd_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_spark_endpoint_config_prd_phrase:{phrase}")
+
+    spark_endpoint_issues = ROOT / ".sot/03-PROTOCOLS/CTO-CASE-SPARK-ENDPOINT-CONFIG-ISSUES.md"
+    if spark_endpoint_issues.is_file():
+        text = spark_endpoint_issues.read_text(encoding="utf-8")
+        for phrase in REQUIRED_SPARK_ENDPOINT_CONFIG_ISSUE_PHRASES:
+            checked.append(f"spark_endpoint_config_issue_phrase:{phrase}")
+            if phrase not in text:
+                errors.append(f"missing_spark_endpoint_config_issue_phrase:{phrase}")
+
     evidence_interface = ROOT / ".sot/03-PROTOCOLS/CTO-HARNESS-EVIDENCE-INTERFACE-CONTRACT.md"
     if evidence_interface.is_file():
         text = evidence_interface.read_text(encoding="utf-8")
@@ -1053,6 +1107,7 @@ def main() -> int:
             "CTO-WORK-026": "validated",
             "CTO-WORK-027": "validated",
             "CTO-WORK-029": "validated",
+            "CTO-WORK-030": "blocked",
         }
         for issue_id, expected in expected_statuses.items():
             checked.append(f"workboard_status:{issue_id}:{expected}")
@@ -1105,6 +1160,8 @@ def main() -> int:
             errors.append("workboard_missing_openai_codex_admission_json_source")
         if "CTO-CASE-MODEL-PROVIDER-ADMISSION.qwen-local-qwen3.6-35b-a3b.json" not in text:
             errors.append("workboard_missing_qwen_local_admission_json_source")
+        if "CTO-CASE-SPARK-ENDPOINT-CONFIG-ISSUES.md" not in text:
+            errors.append("workboard_missing_spark_endpoint_config_issues_source")
 
     payload = {
         "ok": not errors,